QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

`qubes-firewall`: Allow user chains to jump to Qubes OS system chains #9340

Open 3hhh opened 4 days ago

3hhh commented 4 days ago

The problem you're addressing (if any)

Custom user chains cannot reference Qubes OS VM chains from their code for multiple reasons as custom qubes-firewall user code is only executed once at firewall startup and before Qubes OS creates the VM chains.

This can lead to the qubes-firewall being bypassed in certain configurations.

The solution you'd like

Currently the qubes-firewall creates chains such as this one:

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept
                iifname != "vif*" accept
                ip saddr 10.1.2.3 jump qbs-10-1-2-3
        }

Instead, create this:

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept
                iifname != "vif*" accept
                jump forward-dynamic
        }

        chain forward-dynamic {
                ip saddr 10.1.2.3 jump qbs-10-1-2-3
        }

This allows users to jump to the forward-dynamic chain and re-use the Qubes OS rules in their custom setups.

The value to a user, and who that user might be

Working qubes-firewall even with custom setups.

Completion criteria checklist

(This section is for developer use only. Please do not modify it.)
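Added example, not part of the issue or of the Qubes OS code base: a minimal nftables ruleset that spells out the proposed split. The hooked `forward` chain keeps only its static rules and delegates per-VM dispatch to the regular (unhooked) `forward-dynamic` chain, which a user chain in the same table can re-use with a single `jump`. The table name `qubes`, the VM address `10.1.2.3`, the contents of `qbs-10-1-2-3` and the user chain `user-forward-example` (and whatever would jump to it) are assumptions made for the illustration.

```nft
# Added illustration of the proposed chain layout; table name, addresses
# and the per-VM / user rules below are constructed, not Qubes OS's own.
table ip qubes {
    # Hooked chain: stays system-owned and carries only the static rules.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname != "vif*" accept
        # Per-VM dispatch lives in a regular chain so that other chains in
        # this table can jump to it. If forward-dynamic returns without a
        # verdict, the packet falls through to "policy drop" here.
        jump forward-dynamic
    }

    # Regular chain, meant to be rewritten by qubes-firewall as VMs start
    # and stop: one dispatch rule per VM.
    chain forward-dynamic {
        ip saddr 10.1.2.3 jump qbs-10-1-2-3
    }

    # Per-VM chain (constructed contents): allow DNS and HTTPS, drop the rest.
    chain qbs-10-1-2-3 {
        udp dport 53 accept
        tcp dport 443 accept
        drop
    }

    # Hypothetical user chain. It can add its own rules and then re-use the
    # system's per-VM rules with one jump. A jump cannot cross tables, so a
    # chain kept in a different table (e.g. qubes-firewall) cannot do this
    # directly; something in this table has to jump to user-forward-example
    # for it to be traversed at all.
    chain user-forward-example {
        ip daddr 10.137.0.1 tcp dport 8080 accept
        jump forward-dynamic
    }
}
```

Two points worth keeping in mind with this layout: `forward-dynamic` must stay a regular chain (no `hook`), because nftables refuses `jump` to a base chain, which is exactly why the current hooked `forward` chain cannot be re-used; and because `forward-dynamic` ends without a verdict, whatever jumps to it still decides the fate of unmatched traffic through its own policy or trailing rules.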

3hhh commented 4 days ago

Hm, I just noticed that even with my patch, I'll have to go to some lengths to be able to use the new chain, as custom-input and the new chain are in two different tables (qubes and qubes-firewall).

So with the patch it'll be better than the current situation (cannot re-use the dynamic firewall rules at all as one cannot jump to hooked chains), but still not simple - probably I'll have to create another input hook in the qubes-firewall table and jump to the new chain from there.

On a side note: It is a bit annoying to have to re-open this issue on every git push.

marmarek commented 4 days ago

On a side note: It is a bit annoying to have to re-open this issue on every git push.

Just put your changes into some new branch, instead of "main".